Banks list cyber risk as topmost concern in innovation in 2023 - CBK

In its latest banking sector innovation survey, the Central Bank of Kenya (CBK) says cyber risk was the topmost concern for financial institutions in their innovation endeavours in the one-year period to December 2023. 

According to the CBK, 97 per cent of banks and 71 per cent of microfinance banks (MFBs) identified cyber risk as one of the top three innovation-related risks.

The figures could be a reflection of the increasing number of cyber threats in the country over the years.

Data by the Communications Authority of Kenya (CA) shows Kenya witnessed increased cyber threats in the three months to December last year, with more than 1.2 billion cases recorded.

The increase recorded a 943 per cent jump from 123 million threats detected in the previous quarter (July–September). 

Operational, third-party management and compliance risks came in second, third, and fourth positions, respectively.

"Consistent with the 2022 innovation survey, liquidity risk remained the least considered innovation-related risk for both banks and MFBs, similar to the 2021 and 2020 innovation surveys," the report reads.

Despite the liquidity concern being the least of concerns, it was much greater in microfinance banks, at 43 per cent, compared to traditional banks at just five per cent, depicting the uncertain growth prospects of the microfinance segment.

CBK last month noted that the institutions' thinning revenues and weakening balance sheets have opened up the sub-sector to stiff competition and even acquisition by commercial banks.

"The MFBs' slow growth has raised viability concerns, as new players such as digital lenders target the same customer base," CBK said.

The 2023 survey also reveals that 79 per cent of the respondents expressed that they dealt with negative externalities caused by their products for their consumers, compared to 81 per cent in 2022.

On the other hand, institutions that did not experience any negative externalities credited this to a well-structured customer discovery and validation process to build customer-centric products and services.

New technology 

According to the Communications Authority of Kenya (CA), cybercriminals are resorting to using Al to execute attacks through social engineering, spreading malware, carrying out adversarial attacks, and compromising critical information infrastructure and Internet of Things (IoT) devices. 

AI-powered attacks, it adds, are more intricate, bypassing traditional security measures. Deep-fake agents are also using AI to develop new types of malware that can learn and adapt to security defences.

President William Ruto, while speaking at the graduation ceremony at the National Defence College in Karen, Nairobi, on May 30, urged military graduates to brace for more threats as the world advances, including the rise of artificial intelligence, which has multiplied digital threats as individuals can now generate believable images and fake news.

He added that through AI, they can also execute sophisticated identity theft and generate a virtual replica to impersonate actual people and commit crimes. Nonetheless, the president said that Kenya has multiple laws guiding cyber security and will also adopt more rules to cover new technologies.

President William Ruto inspects a guard of honour at the National Defence College graduation, in Karen, Nairobi, on Thursday, May 30, 2024. (Photo: PCS)

More solutions 

ICT Cabinet Secretary Eliud Owalo, while officially opening the Network of African Data Protection Authorities (NADPA-RAPDP) Annual General Meeting (AGM) and conference in Nairobi on May 7, stated that Kenya is actively reviewing an AI legal, policy, and regulatory framework that will guide the drafting of reforms and new policies that will also encompass other emerging technologies.

He recognised that AI is a challenge, with only the US and China enacting national policies to guide its adoption.

In May 2024, during President William Ruto's State Visit to the US, Kenya also sealed a strategic partnership with America aimed at strengthening cyber resilience and improving the safety and security of Kenya's digital landscape.

Kenya, the US, and tech giant Google, agreed to a joint initiative to launch a cybersecurity operations platform.

Parliament also, later on, approved new cybersecurity guidelines, the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations of 2024, to enhance the enforcement of the Computer Misuse and Cybercrimes Act, 2018.

Among the objectives of the new regulations are the establishment of a framework for monitoring, detecting, and responding to cybersecurity threats within Kenya's cyberspace and the creation of a structure for the setup and administration of cybersecurity operations centres.

The guidelines paved the way for the establishment of the Cybersecurity Operations Centres to curb emerging threats to cyber domains. The government, through the centres, will protect, preserve, and manage critical information infrastructure and also coordinate the collection and analysis of cyber threats.